Completely hide sendmail version in telnet>25 session
Jeff Ramsey
my sendmail server to the rest of the world.
I know it's not going to keep undesirable
activity out of the server, but at least it
might buy me some time to upgrade after the
announcement of a vulnerability. I could change
the version string in my cf file, but would that
wreck havok with my service? Also, the bat book
says that the version ($v) string is hard-coded
into the executable when you start it. I took
out the helpfile, changed the banner and headers
to be versionless, I still get Sendmail version
8.11.6XXXXX when I type help at a telnet prompt.
I want it completely gone. Is is possible?
--
Jeff Ramsey
jeffATtubaforDOTcom
"Can I 'ave eggs, bacon, sausage and spam without the spam?"
"Bleeeaaaahhhh!"
- Monty Python's Flying Circus
Suresh Ramasubramanian
> I am trying to hide the version number of
> my sendmail server to the rest of the world.
> I know it's not going to keep undesirable
> activity out of the server, but at least it
Yeah right. Security by obscurity. Anyway, Take a look at
>>>> confSMTP_LOGIN_MSG SmtpGreetingMessage
-suresh
Jeff Ramsey
I have changed this, and it helped for the greeting,
but if I type help, if the help file is there, it
displays it. If the /etc/mail/helpfile is not there,
the HELP command just replies with "502 5.0.3 HELP
not implimented" and "Sendmail 8.11.3" [1] This is
the place where I cannot hide the version number.
I do not want to have the help file, but I want no
version number also. Would it work to put a blank
helpfile in there?
Jeff Ramsey
Robert Clark
<ram...@localhost.localdomain> wrote:
Yes. Perhaps you might have tried that before posting the latest message?
% rm /etc/mail/helpfile
% touch /etc/mail/helpfile
James A Griffin
Slightly off topic (SOT) for sendmail, but useful nonetheless. See Jay
Beale's paper _"Security Through Obscurity" Ain't What They Think_ at
http://www.securityportal.com/beale/beale20010720.html
The points are that using "Obscurity" in place of authentication to keep
you safe is foolish but deliberately hiding information that is of use
to an adversary just makes their job harder even if it does not
ultimately add protection from a determined attack.
I have a secured facility (note I do not say a "secure facility") that
has two levels of physical access control and three levels of intrusion
detection. Two of the three levels are "advertised": 1) the door with
its tamper resistant locks and 2) a sign telling about "The Alarm
System". These keep most every one from even attempting to gain
unauthorized entry. The third level of intrusion detection (hidden or
obscured, if you prefer) is there to catch the ones that ignore the
first two. What would be gained by disclosing the existence of the
third layer?
In a multi-layered approach to defense (security), any low-cost action
that deters or delay an attacker is usually cost effective.
Regards,
Jim
P.S. For those that do not recognize Jay Beale's name, here is a brief
bio:
> Jay Beale is the Lead Developer of the Bastille Linux Project, which creates a
> wildly popular security-tightening program. Jay is lucky enough to have his work
> on Bastille sponsored by MandrakeSoft. Jay is the author of a number of articles
> on Unix/Linux security, along with the upcoming book "Securing Linux the
> Bastille Way," to be published by Addison Wesley. You can learn more about his
> articles, talks and favorite security links via http://www.bastille-linux.org/jay.
Claus Aßmann
> I am trying to hide the version number of
> my sendmail server to the rest of the world.
> I took
> out the helpfile, changed the banner and headers
> to be versionless, I still get Sendmail version
> 8.11.6XXXXX when I type help at a telnet prompt.
> I want it completely gone. Is is possible?
Put the helpfile back and edit it: change
smtp This is sendmail version $v
to
smtp This is super secret MTA 3.2.1
--
If you feel the urgent wish to send me a courtesy copy of a Usenet
posting, then make sure it's recognizable as such!
The FAQ: http://www.sendmail.org/faq/ Before you ask.
G. Roderick Singleton
You don't need to remove it. Simply edit it and change the following
to whatever you like:
smtp This is sendmail version $v
--
________________________________________________________________________________
G. Roderick Singleton, <gsing...@home.com>
________________________________________________________________________________
"We of the West add degree upon degree, as stucco troweled on chicken
netting tacked to shoddy wooden framing. Real education ... it is not
the laying of one layer, it is the opposite, it is attrition, peeling
away, wearing away superfluities, as an artist in jade wears away the
rubbish, untul the goddess, the flower, the stallion from the beginning
in the heart of the jade is revealed. Education is not adding. It is
scraping away garbage, trash, revealing hidden realiity." E. Hoffman
Price
Jeff Ramsey
Thank you all for the help. It worked it great.
Jeff
Suresh Ramasubramanian
[snip a lot of followups]
[snip a longish sig file]
> Thank you all for the help. It worked it great.
-suresh
Jeff Ramsey
>
> Thank you for trimming stuff before you post :)
>
> -suresh
Sorry. My bad.
Jeff